Sunday, September 23, 2018

FireEye Says Delphi Packer Upends Classification

For years most security companies have used classification as a way of identifying the classes of attack tools that hackers use to get into a system. So, John Doe hacker hits a credit union in Idaho, and investigators want to find out what tools were used and what the defenses against those tools should be. Security research firms use different names for hacker tools, but classification helps build a common understanding of where these tools originate and how they spread. This improves defenses and gives basic knowledge of the classes of tools being used across the world. Security vendors build those profiles into various types of tools, such as antivirus and end-point solutions.

FireEye has identified a tool hackers use to undo that capability. Delphi is a programming language and development environment used to build object-oriented software. When used with hacker tools, it can mask them and make them look like other legitimate programs. What FireEye saw was the lengths the packer goes to to avoid detection during analysis by security vendors, and how carefully it checks for things such as the updates users have applied to their own systems (security patches). Tara Seals has a nice explanation of how this all works together.

Hacker tools have been run encrypted, stored encrypted, and made harder to detect as a matter of commercial survival. People sell these things to make money, and they want them to work without being detected within seconds of being installed. In some cases detection at that point would already be too late, but in most cases it allows the tool to be set in place before security tools can detect it. If a tool can run undetected, it can wait until conditions are right for its use, then execute. I see this as an incremental jump in detection evasion that will cause security vendors real problems in the long run. What good are vendor security tools that will not detect what hackers are using to get into systems? Not much.

As long as neither security vendors nor hackers make serious technology advances, they stay in balance. That balance is good for both sides. Hackers can still get into most systems, but a determined defender can keep them out. When the balance tilts, the other side has to devote more time and effort to do better. The vast majority of security vendors have not been keeping up, though FireEye is one of the better ones. You and I can do very little about either of these things. We rely on vendors to save us from the hacker. When they can't, we are in real trouble. We need to be more careful about paying monthly fees for software that isn't detecting what is really out there. Testing the tools they use is the best way to do that, and vendors are only now getting around to detecting some of the most sophisticated penetration tools on the black market.
